DigiNotar hacker says he stole huge GlobalSign cache
An internet user with proven ties to the DigiNotar hack claims he stole email, customer data and other sensitive data from two competing web authentication authorities that will be released publicly soon. In a statement posted Thursday, an individual calling himself Comodohacker expanded on previous claims that he breached the …
Startcom
Startcom's website admitted a breach a few months ago, and their service was offline for some time as a result... Perhaps this was the same attack?
Yes, of COURSE it must have been...
... sponsored by the Iranian government, then the CAs can say "We were not breached by one person with too much time on their hands because we are incompetent; we are under attack from a hostile state under sanctions from the UN!!1!1!oneone... Send in the bombers!"
state sponsored
It's state sponsored in the same way the Comodo breaches were: the IP provided by Comodo was involved with the breaches. Thing is, its user used a video how-to site to learn about MITM and downloaded sslsniff from Moxie Marlinspike's website, leaving an HTTP referrer...
Remember, to a CEO, any computer user that knows WinKey+R opens the Run dialog and "cmd" is the shell executable is "sophisticated".
The whole CA business is security theater; now we finally see that the gold is painted and the mahogany is made from pine wood.
Another false flag operation, more like.
> "a totally a state-sponsored attack on the PK infrastructure"
> guy turns up, bragging about the exploits
retard.jpg
Public education
The guy was taught in public school, the school is sponsored by Iranian government, ergo the attack was sponsored by Iranian government. QED.
I think you mean,
"claims Microsoft made Monday that fraudulently issued certificates for domains including *.microsoft.com and *.windowsupdate.com could *NOT* be used to hijack Microsoft's security update system."
And I think Microsoft is right in that the certificate isn't enough, you also have to bend DNS or bend the network to make PCs communicate with your evil server instead of the real one.
And I think it's still illegal to supply Microsoft Windows or other American software to Iran anyway, which logically would also include Windows updates. I've been expecting that that'd be the next law case against Linux, whose licence doesn't include that rule.
"I've been expecting that that'd be the next law case against Linux"
Lawsuit against whom? What makes so many people feel that 'Linux' is some kind of legal entity?
Re: Microsoft is right
If we believe Microsoft's claim that updates have to be signed by the Microsoft root CA, then even persuading clients to talk to your fraudulent server wouldn't be enough to hijack Windows Update.
And this is a *very* plausible claim. In fact, I'd be quite shocked if it weren't true.
on state sponsored
Remember, to a CEO, any computer user that knows WinKey+R opens the Run dialog and "cmd" is the shell executable is "sophisticated".
***
Really priceless quote.
PKI has been hamstrung by the "good enough" approach long enough, as have been most parts of the Internet infrastructure. The mere mention of "you also have to bend DNS" immediately brought to mind the cache poisoning exploit discovered 3 years ago. In that case the most troubling quote I saw was from Kaminsky himself, when he said, "this is how the Internet works."
